Most certificates managed by autocert require manual renewal

Roland Shoemaker

Jan 26, 2022, 7:09:27 PM
to golan...@googlegroups.com
Hello gophers,

The Let’s Encrypt certificate authority is revoking all certificates issued with the TLS-ALPN-01 verification method before 00:48 UTC on 26 January 2022 due to a compliance issue. (Read more in the Let’s Encrypt announcement.) As TLS-ALPN-01 is the preferred and default verification method used by golang.org/x/crypto/acme/autocert, most certificates managed by autocert will be revoked beginning at 16:00 UTC on 28 January 2022. This will cause connection errors on some platforms.

We recommend updating the golang.org/x/crypto module to version v0.0.0-20220126234351-aa10faf2a1f8 (or later), which will automatically renew potentially affected certificates issued before Let’s Encrypt deployed their fix.

Alternatively, delete ALL files in the autocert cache EXCEPT "acme_account+key" or "acme_account.key", and restart the application. If using autocert.NewListener on Linux, the cache is located at $XDG_CACHE_HOME/golang-autocert or $HOME/.cache/golang-autocert.

In order to get notified of similar issues in the future, we recommend setting the Manager.Email field.

Cheers,
Go Security team
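
The manual cache cleanup described in the announcement, written out as an added example (not code from the Go team or from autocert itself). The function names and the `-delete` flag are assumptions of this example; it uses only the cache paths and file names given above, defaults to a dry run, and should be run with the application stopped before restarting it.

```go
package main

import (
	"log"
	"os"
	"path/filepath"
)

// keepNames are the ACME account key files the announcement says to preserve.
var keepNames = map[string]bool{"acme_account+key": true, "acme_account.key": true}

// defaultCacheDir returns the autocert.NewListener cache location on Linux.
func defaultCacheDir() string {
	if d := os.Getenv("XDG_CACHE_HOME"); d != "" {
		return filepath.Join(d, "golang-autocert")
	}
	return filepath.Join(os.Getenv("HOME"), ".cache", "golang-autocert")
}

// purgeCache deletes every regular file in dir except the account key and
// returns the names it removed (or would remove when dryRun is true).
func purgeCache(dir string, dryRun bool) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var removed []string
	for _, e := range entries {
		if keepNames[e.Name()] || !e.Type().IsRegular() {
			continue // keep the account key; skip subdirectories and symlinks
		}
		if !dryRun {
			if err := os.Remove(filepath.Join(dir, e.Name())); err != nil {
				return removed, err
			}
		}
		removed = append(removed, e.Name())
	}
	return removed, nil
}

func main() {
	// Hypothetical flag for this example: nothing is deleted unless -delete is passed.
	dry := len(os.Args) < 2 || os.Args[1] != "-delete"
	names, err := purgeCache(defaultCacheDir(), dry)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("dry run=%v, %d cached file(s) selected: %v", dry, len(names), names)
}
```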